Home

Awesome

Best Practices for Open Source Developers

GitHub Super-Linter

Anyone is welcome to join our open discussions related to the group's mission and charter.

The BEST Working group is officially a Graduated-level working group within the OpenSSF <img align="right" src="https://github.com/ossf/tac/blob/main/files/images/OpenSSF_StagesBadges_graduated.png" width="100" height="100">>

<img align="right" src="https://github.com/ossf/wg-best-practices-os-developers/blob/main/img/ossf-best-goose.png" width="300" height="300">

Mission

Our Mission is to provide open source developers with security best practices recommendations and easy ways to learn and apply them.

We seek to fortify the open-source ecosystem by championing and embedding best security practices, thereby creating a digital environment where both developers and users can trust and rely on open-source solutions without hesitation.

Vision

<img align="top" src="https://github.com/ossf/wg-best-practices-os-developers/blob/main/img/OpenSSF%20Dev%20Best%20Practices%20Projects%20Relations.png">

Scope

The Developer Best Practices group wants to help identify and curate an accessible inventory of best practices

Strategy

To achieve our Mission and Vision, the BEST Working group will execute on the following strategy:

Roadmap

To deliver on our Strategy, the BEST Working Group will do the following:

Help build a community

Supply a Learning platform -Any free course can be integrated into the platform

Current Work

We welcome contributions, suggestions and updates to our projects. To contribute please fill in an issue or create a pull request.

We typically use the Simplest Possible Process (SPP) to publish and maintain the documents we publish; see the SPP documentation if you have questions about it.

Our work is organized into several discrete-yet-related projects that help us achieve our goals:

EffortDescriptionGit RepoSlack ChannelMailing List
Best Practices GuidesLonger reference documents on implementing specific secure techniques- Compiler Annotations for C and C++ (incubating), </p> - Compiler Options Hardening Guide for C and C++, </p> - Existing Guidelines for Developing and Distributing Secure Software, </p> - Package Manager Best Practices (incubating), </p> - npm Best Practices Guide, </p> - Source Code Management Platform Configuration Best Practices, </p> - Secure Coding Guide for Python,- #wg-best-practices-compilers, </p> - #wg-best-practices-scm
Concise Guides SIGsQuick Guidance around Open Source Software Develpment Good Practices- Concise Guide for Developing More Secure Software, </p> - Concise Guide for Evaluating Open Source SoftwareMailing List
Education SIG - (incubating)To provide industry standard secure software development training materials that will educate learners of all levels and backgrounds on how to create, compose, deploy, and maintain software securely using best practices in cyber and application security.EDU.SIGstream-01-security-educationMailing List
OpenSSF Best Practices Badge - formerly CII Best Practices badgeIdentifies FLOSS best practices & implements a badging system for those practices,
OpenSSF ScorecardAutomate analysis on the security posture of open source projectsOpenSSF Scorecard#scorecardContribute!
OpenSSF Scorecard — AllstarMonitors GitHub organizations or repositories for adherence to security best practicesAllstar#allstarContribute!
OpenSSF Security BaselineProvide avenue for particpants to help evolve the OpenSSF security baseline into a security baseline that can be applied to a broad range of software-based projectsOpenSSF Security Baseline#sig-security-baselineMailing List
Secure Software Development Fundamentals - online courseTeach software developers fundamentals of developing secure softwareGitHub
Memory Safety SIGThe Memory Safety SIG is a group working within the OpenSSF's Best Practices Working Group formed to advance and deliver upon The OpenSSF's Mobilization Plan - Stream 4.Git RepoSlackMailing List
The Security ToolbeltAssemble a “sterling” collection of capabilities (software frameworks, specifications, and human and automated processes) that work together to automatically list, scan, remediate, and secure the components flowing through the software supply chain that come together as software is written, built, deployed, consumed, and maintained. Each piece of the collection will represent an interoperable link in that supply chain, enabling adaptation and integration into the major upstream language toolchains, developer environments, and CI/CD systems.Security Toolbeltsecurity-toolbeltMailing List
Python Hardening Guide SIGA group working to document a secure coding guide for python and associates code examplesGit Repo#secure-coding-guide-for-python

Related resources

Past Work/Greatest Hits

Related Activities

There are many great projects both within and outside the Foundation that compliment and intersect our work here. Some other great projects/resources to explore:

Quick Start

Areas that need contributions

Where to file issues

Get Involved

Anyone is welcome to join our open discussions related to the group's mission and charter.

Meeting Times

Every 2 weeks, Tuesday 10am EST. The meeting invite is available on the public OSSF calendar

EffortMeeting TimesMeeting Notes/AgendaGit RepoSlack ChannelMailing List
Full WGEvery two weeks, Tuesday 7:00a PT/10:00a ET/1400 UTCMeeting NotesGit RepoSlackMailing List
C/C++ Compiler Hardening OptionsEvery two weeks, Thursday 6:00a PT/9:00a ET/1300 UTCMeeting NotesGit RepoSlackMailing List
EDU.SIGEvery 2 weeks, Wednesday 6:00a PT/9:00a ET/1400 UTCMeeting NotesGit RepoSlackMailing List
Memory Safety SIGEvery 2 weeks, Thursday 10:00a PT/1:00p ET/1500 UTCMeeting NotesGit RepoSlackMailing List
ScorecardEvery 2 weeks, Thursday 1:00p PT/4:00p ET/1800 UTCMeeting NotesGit RepoSlackMailing List
Security BaselineEvery other Tuesday @ 10:00am ESTMeeting MinutesGit RepoSlackMailing List
Python Hardening Guide SIGEvery two weeks, Monday 11AM ETMeeting NotesGit RepoSlackMailing List
EDU.SIG - Course Content CollabEvery week, Monday 1PM ETMeeting NotesGit RepoSlackMailing List

Meeting Notes

Meeting notes are maintained in a Google Doc found in the above table. If attending please add your name, and if a returning attendee, please change the color of your name from gray to black.

Governance

The CHARTER.md outlines the scope and governance of our group activities.

Project Maintainers

Project Collaborators

Project Contributors

Toolbelt Collaborators

A listing of our current and past group members.

Licenses

Unless otherwise specifically noted, software released by this working group is released under the Apache 2.0 license, and documentation is released under the CC-BY-4.0 license. Formal specifications would be licensed under the Community Specification License (though at this time we don't have any examples of that).

Charter

Like all OpenSSF working groups, this working group reports to the OpenSSF Technical Advisory Council (TAC). For more organizational information, see the OpenSSF Charter.

Antitrust Policy Notice

Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws.

Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at http://www.linuxfoundation.org/antitrust-policy. If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation.